Solved: Re: How to set the default search time in Splunk 6... - Page 2

wpreston · ‎10-14-2013

How can I set the default search time in Splunk 6? I'd prefer for my users to start their searches on the last 7 days instead of all time, but I can't find where to set it at. I tried changing the value for TimeRangePicker in the flashtimeline view to "Last 7 days" then restarting Splunk, but the nothing changed in my view. Below is the change I made:

< module name="TimeRangePicker">
    < param name="selected">Last 7 days< /param>

I made this change to the following views: flashtimeline, charting, dashboard, and dashboard_live. What am I missing?

ChrisG · ‎10-24-2013

Further research yields this better answer:

To do this in Splunk Enterprise 6.0, use ui-prefs.conf. If you set the value in $SPLUNK_HOME/etc/system/local, all your users should see it as the default setting. For example, if your $SPLUNK_HOME/etc/system/local/ui-prefs.conf file includes:

[search]
dispatch.earliest_time = @d
dispatch.latest_time = now

The default time range that all users will see in the search app will be today.

The configuration file reference for ui-prefs.conf is here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Ui-prefsconf

We are updating the Search Manual to include this information.

I am leaving the flashtimeline workaround information here in case it's useful to people for other reasons.

View solution in original post

wpreston · ‎10-23-2013

I have the work-around in place now and will be on the lookout for the future release. Thank you for the very detailed answers!!

cam343 · ‎10-20-2013

+1 this problem.

I tried: "flashtimeline" / "dashboard_live" / "charting" and manually restarted the Splunk service. Still Nothing..... Any help would be appreciated

How to set the default search time in Splunk 6?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!